During a code audit, Stefan Esser discovered a double free() vulnerability[2][3] in the CVS code. This vulnerability can be exploited by remote users, authenticated or anonymous, to execute arbitrary commands on the server.

Please note that users with write access to CVS (the so called committers) usually already have shell access on the server, or can easily get shell access as has already been discussed elsewhere[4].

Besides fixing the double free vulnerability, the new packages provided with this update now have the Checkin-prog and Update-prog commands disabled.

UPDATE: The previous CVS update (CLSA-2003:560), while indeed fixing the security vulnerability, introduced problems which prevented it from being used due to the way the Checkin-prog and Update-prog commands were disabled. This has now been fixed.

Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade'.